1## 9.5\. Multi-User Support
2
3Android includes [support for multiple users](
4http://developer.android.com/reference/android/os/UserManager.html)
5and provides support for full user isolation.
6
7*    Device implementations MAY but SHOULD NOT enable multi-user if they use
8[removable media](
9http://developer.android.com/reference/android/os/Environment.html)
10for primary external storage.
11
12If device implementations include multiple users, they:
13
14*   [C-1-1] MUST meet the following requirements related to
15[multi-user support](
16http://source.android.com/devices/storage/traditional.html).
17*   [C-1-2] MUST, for each user, implement a security
18model consistent with the Android platform security model as defined in
19[Security and Permissions reference document](
20http://developer.android.com/guide/topics/security/permissions.html)
21in the APIs.
22*   [C-1-3] MUST have separate and isolated shared application storage
23(a.k.a. `/sdcard`) directories for each user instance.
24*   [C-1-4] MUST ensure that applications owned by and running on behalf a
25given user cannot list, read, or write to the files owned by any other user,
26even if the data of both users are stored on the same volume or filesystem.
27*   [C-1-5] MUST encrypt the contents of the SD card when multiuser is enabled
28using a key stored only on non-removable media accessible only to the system if
29device implementations use removable media for the external storage APIs.
30As this will make the media unreadable by a host PC, device implementations
31will be required to switch to MTP or a similar system to provide host PCs with
32access to the current user’s data.
33
34If device implementations include multiple users and
35do not declare the `android.hardware.telephony` feature flag, they:
36
37*   [C-2-1] MUST support restricted profiles,
38a feature that allows device owners to manage additional users and their
39capabilities on the device. With restricted profiles, device owners can quickly
40set up separate environments for additional users to work in, with the ability
41to manage finer-grained restrictions in the apps that are available in those
42environments.
43
44If device implementations include multiple users and
45declare the `android.hardware.telephony` feature flag, they:
46
47*   [C-3-1] MUST NOT support restricted profiles but MUST align with the AOSP
48implementation of controls to enable /disable other users from accessing the
49voice calls and SMS.
50